After years of negotiations, the European Union finally adopted a data flows framework ensuring ‘adequate’ data privacy for European data transferred to the United States on Monday, said a European Commission press release. The EU-US Data Privacy Framework is in force as of July 10th, allowing free and ‘safe’ data transfers between the two regions without additional privacy safeguards.
The move follows 2020’s landmark Schrems II verdict where the EU’s top court struck down transfers between the two countries under “Privacy Shield” over concerns of disproportionate and invasive American surveillance of EU data.
“The new EU-U.S. Data Privacy Framework will ensure safe data flows for Europeans and bring legal certainty to companies on both sides of the Atlantic,” said EU President Ursula von der Leyen yesterday. US President Joe Biden added that “the decision reflects our joint commitment to strong data privacy protections and will create greater economic opportunities for our countries and companies on both sides of the Atlantic”.
What’s the basic structure of the framework? In policy terms, this agreement is called an ‘adequacy decision’. It stems from the EU’s privacy law (the General Data Protection Regulation), which allows data transfers from the EU to countries offering a comparable level of data protection as the EU. This adequacy decision basically applies to data transfers from public and private entities in the European Economic Area to US companies who have signed up to the EU-US Data Privacy Framework.
What are the data privacy safeguards like? US companies can join the framework by committing to various other privacy obligations, such as ensuring data is protected when shared with third parties, and deleting personal data when it is no longer needed.
The decision’s safeguards also stem from the White House’s Executive Order last year on the framework. They include limiting government access to data to whatever is “necessary and proportionate to protect national security”. Intelligence agencies will be monitored carefully to ensure that their surveillance activities are limited.
EU residents also get new rights under the framework—like the right to access their data, and to correct or delete incorrect or “unlawfully handled data”. The adequacy decision also mandates separate and stringent privacy protections for sensitive data (like health data) transferred between the two countries. Companies participating are expected to follow data minimisation practices, while ensuring that the data they have is factually accurate.
The US’ safeguards will also apply when EU data is transferred under other mechanisms, like standard contractual clauses or binding corporate clauses.
What if there’s a privacy violation? The newly-established two-tier complaints mechanism will investigate complaints on the collection and use of their data by American intelligence agencies. Under the two-tier complaints mechanism:
- A ‘Civil Liberties Protection Officer’ from the US Intelligence will investigate the complaint: They’re otherwise responsible for ensuring US government compliance with privacy and other rights.
- Decisions can be appealed before the Data Protection Review Court (DPRC): The Court, an independent body comprised of non-US government officials, will review the complaint. The DPRC has powers to access information from US intelligence agencies and to issue binding remedial verdicts. For example, it can order data deletion if it finds that the framework’s safeguards are violated.
Complaints don’t need to demonstrate misuse by intelligence authorities. They can also be submitted to the EU residents’ national data protection authority, who’ll then forward the complaint to the relevant body, or sent to the United States by the European Data Protection Board. EU residents can also avail of free and independent dispute resolution mechanisms, and arbitration too.
What next? The United States Department of Commerce will be administering the framework, while compliance with it will be enforced by the United States’ Federal Trade Commission. The framework’s functioning will also be periodically reviewed by European data protection authorities, the European Commission, and US authorities too. The first review will take place one year into the decision’s implementation.
STAY ON TOP OF TECH POLICY: Our daily newsletter with the top story of the day from MediaNama, delivered to your inbox before 9 AM. Click here to sign up today!
- Finally, The EU And US Inch Towards A Framework For “Safe” Cross-Border Personal Data Transfers
- What Privacy Commitments Will Underlie Cross-Border Data Flows Between The EU And US?
- How Does Geopolitics Shape Cross-Border Data Flows, And What Is India’s Diplomatic Stance? #PrivacyNama2022
- How Will The Data Protection Bill Approach Personal Data Transfers Outside Of India? #NAMA